The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor.
This mature portfolio of EDR-terminating tools is centered around a framework that's known as GentleKiller.
"They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller," ESET security researcher Jakub Souček said in a report shared with The Hacker News. "These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons."
The Slovakian cybersecurity company also called out the ransomware crew for its ability to "unusually quickly operationalize" newly disclosed proof-of-concept (PoC) exploits related to an attack technique called the bring your own vulnerable driver (BYOVD) technique, in many cases within days of their public release.
Since its emergence in March 2025, The Gentlemen has swiftly risen up the ranks and made a name for itself as one of the most active ransomware groups. Per data from Ransomware.live, the group has claimed 504 victims to date, with most of them located in Southeast Asia, South America, and Western Europe.
